1
Lesson 10: Incident Response Toolkits
“Who said there were no free lunches anymore?”
2
UTSA IS 6353 Security Incident Response
Overview
  Cygwin
  Data Integrity Tools
  Drive Tools
  Viewers
  Search Tools
  Forensics Programs
3
CYGWIN
A Unix environment for Windows:
  A DLL (cygwin1.dll) which acts as a UNIX emulation layer providing substantial UNIX API functionality
  A collection of tools, ported from UNIX, which provide UNIX/Linux look and feel
The Cygwin DLL works with all versions of Windows since Windows 95, with the exception of Windows CE
4
CYGWIN
Where to get it:
What’s included: date, time, uptime, uname -a, hostname, whoami, env, ps, netstat, arp
5
Data Integrity Tools
Goal: maintain the chain of evidence and the integrity of tools
  Maresware’s Disk_crc
  MD5 Summer
6
Network Tool: NetCat/Cryptcat
Creates a channel of communication between hosts
Used during forensics to create a reliable TCP connection between the target system and the forensic workstation
Cryptcat provides encryption
7
Netcat Commands
Forensic workstation ( ) command:
  E:\>nc -l -p 2222 > yourfilename
  Translation: execute netcat in listen mode on port 2222 and pipe inbound traffic to “yourfilename”
Sending output from target system:
  A:> pslist | nc
  Translation: execute pslist and pipe its output to netcat, which transmits it to port 2222
8
Netcat in Action
Hacked Machine (trusted commands): time, date, loggedon, fport, pslist, nbtstat -c
Forensics Workstation
Steps:
  1. Run trusted commands on Hacked Machine
  2. Send output of commands to forensics workstation using netcat
  3. Perform off-line review
  4. MD5SUM output files
9
Netcat Command Sequence
Hacked Machine (time, date, loggedon, fport, pslist, nbtstat -c):
  A:>time | nc
  A:>date | nc
  *
  A:>nbtstat -c | nc
Forensics Workstation:
  C:>nc -l -p 2222 > forensics.txt
  C:>md5sum forensics.txt > ?????
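The collection sequence on the two netcat slides, together with the hashing step from the Data Integrity Tools slide, as an added Python example; this is not code from the slides. It models both sides on loopback: the listener side (nc -l -p 2222 > forensics.txt, here with an OS-chosen port rather than 2222) and the sender side (command | nc), then records the capture's digest the way md5sum would. The command output is constructed sample text, not real time/date/pslist output, and the SHA-256 written next to the MD5 is an addition beyond the slide, since a second hash family gives an integrity record that does not depend on MD5 alone.

```python
"""Added example, not from the slides: the netcat collection pattern in Python.
Listener: 'nc -l -p PORT > forensics.txt'. Sender: 'command | nc HOST PORT'.
Then the 'md5sum forensics.txt' step (plus SHA-256, an addition to the slide).
Command output here is CONSTRUCTED sample text, not captured from a real host."""
import hashlib
import os
import socket
import tempfile
import threading

HOST = "127.0.0.1"  # assumption: loopback stands in for the workstation address

# Constructed stand-ins for trusted-command output
SAMPLE_OUTPUT = {
    "time": b"The current time is: 10:42:17.55\r\n",
    "date": b"The current date is: Tue 03/12/2002\r\n",
    "pslist": b"Name   Pid  Pri  Thd  Hnd\r\nIdle     0    0    1    0\r\n",
}


class Listener:
    """'nc -l -p PORT > capture': accept one connection, append all bytes to a file."""

    def __init__(self, capture_path):
        self.capture_path = capture_path
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((HOST, 0))  # port 0: the OS picks a free port (slide uses 2222)
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn, open(self.capture_path, "ab") as fh:
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed its write side: transfer complete
                    break
                fh.write(chunk)
        self.sock.close()

    def wait(self):
        self.thread.join()


def send_output(port, data):
    """'command | nc HOST PORT': connect, push the bytes, signal EOF."""
    with socket.create_connection((HOST, port)) as conn:
        conn.sendall(data)
        conn.shutdown(socket.SHUT_WR)


def collect(capture_path, outputs):
    """The slide's sequence: one listener per command (a plain 'nc -l' exits after
    one connection), each output appended under a header line. Returns the exact
    bytes sent so the capture can be compared against them."""
    sent = b""
    for name, data in outputs.items():
        listener = Listener(capture_path)
        payload = b"### " + name.encode() + b"\r\n" + data
        send_output(listener.port, payload)
        listener.wait()
        sent += payload
    return sent


def hash_bytes(data):
    """(md5, sha256) hex digests of a byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def write_manifest(path):
    """Record 'digest  filename' lines (md5sum's output format) beside the capture."""
    md5, sha = hash_file(path)
    manifest = path + ".hashes"
    with open(manifest, "w") as fh:
        fh.write(f"{md5}  {os.path.basename(path)}\n")
        fh.write(f"{sha}  {os.path.basename(path)}\n")
    return manifest


def verify_manifest(path, manifest):
    """Recompute both digests and compare them with the recorded ones."""
    md5, sha = hash_file(path)
    with open(manifest) as fh:
        recorded = [line.split()[0] for line in fh.read().splitlines()]
    return recorded == [md5, sha]


def run_demo():
    """Collect, hash, verify, then append a byte to show the manifest detects it."""
    capture = os.path.join(tempfile.mkdtemp(), "forensics.txt")
    sent = collect(capture, SAMPLE_OUTPUT)
    with open(capture, "rb") as fh:
        received = fh.read()
    manifest = write_manifest(capture)
    ok_before = verify_manifest(capture, manifest)
    with open(capture, "ab") as fh:
        fh.write(b"x")  # simulate a modification after the hash was recorded
    ok_after = verify_manifest(capture, manifest)
    return {"sent": sent, "received": received,
            "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    r = run_demo()
    print("capture == bytes sent:", r["received"] == r["sent"])
    print("manifest valid before/after change:", r["ok_before"], r["ok_after"])
```

The sender's shutdown(SHUT_WR) is what lets the listener know a command's output is complete, the same end-of-stream signal the real pipeline relies on; the manifest is written only after the last transfer, so any later change to forensics.txt shows up as a digest mismatch.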
10
Drive Tools
Goal: allow collection of various hard/floppy/CD forensics
Partition Tools
  fdisk (for Linux; DOS version obsolete)
  Partinfo (free)
  PartitionMagic (includes Partinfo but costs $)
CD-R Utilities
  CD-R Diagnostics
Unerase Tools
  Windows: Norton Utilities Diskedit & Unerase
  Unix: e2recover
  File Scavenger
11
Drive Tools (2)
Drive Imagers
  NTI’s SafeBack
  SnapBack
  Ghost (Symantec)
  dd (the Unix command)
Disk Wipers
  DiskScrub from NTI
12
File Viewers
Goal: allow the investigator to discover, view, and analyze files on all operating systems
  QuickViewPlus: views over 200 file types
  Conversion Plus: views Mac files on Windows
  ThumbsPlus: catalogs and displays all image files
13
Search Tools
Goal: find keywords pertinent to the investigation
  NTI’s dtSearch: searches text files including Outlook .pst files
  Danny Mares StringSearch
Hidden Streams
  SFind
  Streams
14
Forensics Programs
Focus: collect and analyze data
  SANS Investigative Forensics Tool Kit (SIFT)
  Forensic Toolkit: focus is on Windows NT systems
  The Coroner’s Toolkit (TCT): investigates a hacked Unix host
    graverobber
    mac utility
    unrm utility
    lazarus tool
15
Forensics Programs (2)
  ForenSix by Dr. Fred Cohen: runs on Linux but can access many different file systems
  EnCase: claims to be the only fully integrated Windows-based forensics application
16
Foundstone Tools http://www.foundstone.com/resources/forensics.htm
  Pasco 1.0: IE activity forensic tool
  Galleta 1.0: examine content of cookie files from IE
  Rifiuti 1.0: examine the INFO2 file in the Recycle Bin
  Vision 1.0: reports open TCP/UDP ports and maps them to the owning process
  NTLast 3.0: security log analyzer
  ShoWin 2.0: show information about Windows
  BinText: finds strings in a file
  Patchit 2.0: binary file byte patching program
17
Vision System Info
18
Vision Processes View
19
Vision Services View
20
Vision Services View
21
File Watch
22
Sysinternals Tools http://www.sysinternals.com/ntw2k/utilities.shtml
Monitoring Tools
  Diskmon 1.1: monitors disk activity
  Filemon 1.1: monitors file activity
  ListDLLs 2.23: lists all currently loaded DLLs
  NTFSInfo: gives the size and location of the MFT
  Portmon 3.02: monitors serial and parallel ports
  Process Explorer 6.03: find out what files, registry keys, and other objects a process has open, and which DLLs it has loaded
  PSTools 1.82
  Regmon 6.06: monitors registry activity
23
Sysinternals Tools (2)
Utilities
  AccessEnum 1.0: used to find holes in file permissions
  NTRecover 1.0: access dead NT disks over a serial connection
  NTFSDOS 3.02: access NTFS drives read-only from DOS
  Remote Recover: access dead NT disks over a network connection
24
pstools
25
pslist
26
pslist
27
Process Explorer-View 1
28
Process Explorer-View 2
29
FILEMON
30
REGMON
31
TCP/IP Monitor: One Single IE Access to One Web Site
32
Other Useful Tools
Password Crackers (see pg 145)
  L0phtCrack
  John the Ripper
  Chntpw: home.eunet.no/~pnordahl/ntpasswd
  Fast ZipCracker
  AccessData: provides entry to a wide range of application-encrypted files
  Elcom
33
Other Useful Tools (2)
Internet References
  Matching Hardware Types to MAC addresses
  Proxy Servers available to the Public
  List of Defaced Web sites
  List of HTTP status codes
  File Formats and Header Specifications
34
McAfee Visual Trace Hostile Activity From China
35
Summary
Lots of free lunches out there when it comes to forensic tools and utilities… do some research!